Donations as a vector for spam

Dec. 2nd 2018

Several large open source projects are using the Open Collective platform to raise the funds that it takes to sustain themselves. This is a good thing! Open source financing is an issue that is only going to become more important, and Open Collective is probably one of the more promising solutions that I’ve seen so far. It seems, though, that bad actors have realised that they can also use it to benefit themselves.

Webpack is one of those projects. Webpack is an asset bundling tool for the web, and it’s extremely widely used, having been downloaded 4.5M times from NPM in the last week. To incentivise donations, webpack’s sponsors are displayed prominently on their home page, including a link back to the sponsor’s own website. At some point, spammers noticed this and have been making small donations with links back to spammy gambling sites. In fact, 30 of the 53 recent donations are obvious spam. Those donations add up to a total of $72 - I wonder how that compares to the going rate for 30 backlinks to your website.

What that means is that this:

Should really look like this:

Ok, and?

Spam sucks, but at least webpack’s getting paid, right? Not really, because this actually presents a danger to both webpack and Open Collective. Chances are these payments are coming from stolen cards. If that’s true, some victims will inevitably notice and end up having the charges reversed, at which point Open Collective’s credit card processor will hit them with a fee.
For webpack, having lots of spammy outgoing links sounds like a good way for their own website to get penalised by search engines. Plus, because the links open in a new browser tab and adequate precautions have not been taken, once a user clicks one of the spammer’s links their original browser tab is vulnerable to being hijacked in the background.

Stopping fraudulent donations is a problem for Open Collective to solve, but what can webpack do about this in the meantime? Well, they should probably start by adding rel='noopener nofollow' to the outgoing links, which will achieve two things:

noopener is a fix for the security issue when linking to sites you don’t control with target='_blank'. You can read about how that works here.
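As an added example (not webpack's or Open Collective's code), here is one way a site could render sponsor links so that every outgoing target='_blank' link carries rel='noopener nofollow'. It goes a little beyond the fix above by also escaping the sponsor-supplied text and refusing non-http(s) URLs; the sponsor object shape and all function names are assumptions.

```javascript
// Added example: sponsor objects and function names are hypothetical.
const REQUIRED_REL = ["noopener", "nofollow"];

// Escape text for use in HTML text nodes and double-quoted attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Merge the required tokens into an existing rel value without duplicates.
function mergeRel(existing = "") {
  const tokens = existing.toLowerCase().split(/\s+/).filter(Boolean);
  return [...new Set([...tokens, ...REQUIRED_REL])].join(" ");
}

// Return the normalised URL only if it parses and uses http(s); otherwise null.
function safeHttpUrl(raw) {
  try {
    const u = new URL(String(raw).trim());
    return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
  } catch {
    return null;
  }
}

// Render one sponsor entry; falls back to plain text when the URL is unusable.
function renderSponsorLink({ name, website, rel }) {
  const label = escapeHtml(name);
  const href = safeHttpUrl(website);
  if (href === null) return `<span>${label}</span>`;
  const relAttr = escapeHtml(mergeRel(rel));
  return `<a href="${escapeHtml(href)}" target="_blank" rel="${relAttr}">${label}</a>`;
}

// Constructed sample data, not real donations.
const sponsors = [
  { name: "Example Co", website: "https://sponsor.example/" },
  { name: "Odd <b>Name</b>", website: "javascript:void(0)" },
  { name: "Keeps rel", website: "http://sponsor.example/a?b=1&c=2", rel: "sponsored noopener" },
];
console.log(sponsors.map(renderSponsorLink).join("\n"));
```
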